Most Helpful Review
Shows the top-consuming applications to help determine if there is a deviation or if we need to increase bandwidth
Find out what your peers are saying about Cisco Firepower NGFW vs. Zscaler Internet Access and other solutions. Updated: July 2019.
377,828 professionals have used our research since 2012.
We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
For us, the most valuable features are the IPX and the Sourcefire Defense Center module. That gives us visibility into the traffic coming in and going out, and gives us the heads-up if there is a potential outbreak or potential malicious user who is trying to access the site. It also helps us see traffic generated by an end device trying to reach out to the world.
The information coming from Talos does a good job... I like the fact that Cisco is working with them and getting the information from them and updating the firewall.
The firepower sensors have been great; they do a good job of dropping unwanted traffic.
Unfortunately in Cisco, only the hardware was good.
The most important point is the detection engine which is now part of the next-generation firewalls and which is supported by Cisco Talos.
The most valuable features are the flexibility and level of security that this solution provides.
Integration with all the other Cisco tools is valuable.
We moved from a legacy firewall to the ASA with FirePOWER, increasing our Internet Edge defense dramatically.
The protection and security features, like URL filtering, the inspection, and the IPS feature, are also very valuable for us. We don't have IT staff at most of the sites so for us it's important to have a robust firewall at those sites
The IPS, as well as the malware features, are the two things that we use the most and they're very valuable.
The most valuable features of Cisco firewalls are the IPS and IDS items. We find them very helpful. Those are the biggest things because we have some odd, custom-made products in our environment. What we've found through their IPS and IDS is that their vulnerability engines have caught things that are near-Zero-day items, inside of our network.
Once you add Firepower onto to it and you start enabling some of its features, you get some IDS/IPS involved with it and you can even do web filtering.
The most valuable feature of the Firepower solution is FireSIGHT, which can be easily managed and is user-friendly.
I like the way Firepower presents the data. It gives you two classifications for the evidence, something based on the priority of the evidence and another classification based on the impact of the evidence in your environment. This makes it very easy to spot the evidence that is most impactful to my environment. Instead of having to go through all the evidence based on that priority, I can focus on the evidence that has the most impact on my environment.
They wanted to leverage something which is equivalent that can give them the next gen features like application awareness and intrusion protection. So that is a major reason they were looking forward to this. The original ASA firewall did not have these features. This was the major reason the customer moved on to Cisco Firepower Threat Defense (FTD). Now they can go ahead and leverage those functionalities.
Cisco Firepower NGFW is really easy to use right now to determine when my file requires a shift from primary to secondary status, and it can be done with automation. Earlier we used to do this with patching.
Zscaler Web Security protects our users in remote locations from internet threats - even if they are not connected to our network.
The most valuable feature is bandwidth control.
The solution offers a distributed organization to master and to control all of the endpoints.
The best thing about Zscaler Internet Access is the website filtering. In the UAE it's quite an important feature because most of the malware comes through the SQL injection and through downloads from websites. Zscaler helps protect against that.
The initial setup was straightforward. The biggest thing for us was to build our own policies. The deployment itself was only a few hours.
The scanning feature is impressive, because they do not introduce a big latency to the traffic.
All internet access flows through the Zscaler proxy, regardless of whether people are in office or remote. I have greater control site access and I minimize the number of compromises that we experience to almost none.
Whether you are in a hotel somewhere, or in Africa, it does not matter. You will get the Zscaler protection presence anywhere.
We were also not too thrilled when Cisco announced that in the upcoming new-gen ASA, iOS was not going to be supported, or if you install them, they will not be able to be managed through the Sourcefire. However, it seems like Cisco is moving away from the ASA iOS to the Sourcefire FireSIGHT firmware for the ASA. We haven't had a chance to test it out.
Our latest experience with a code upgrade included a number of bugs and issues that we ran into. So more testing with their code, before it hits us, would help.
The software was very buggy, to the point it had to be removed.
In NGFW, Cisco should be aligned with the new technology and inspection intelligence because Cisco is far behind in this pipeline.
Most users do not have awareness of this product's functionality and features. Cisco should do something to make them aware of them. That would be quite excellent and useful to organizations that are still using legacy data-center-security products.
There was an error in the configuration, related to our uplink switches, that caused us to contact technical support, and it took a very long time to resolve the issue.
With regards to stability, we had a critical bug come out during our evaluation... not good.
The product would be improved if the GUI could be brought into the 21st Century.
The user interface for the FirePOWER management console is a little bit different from traditional Cisco management tools. If you look at products we already use, like Cisco Prime or other products that are cloud-based, they have a more modern user interface for managing the products. For FirePOWER, the user interface is not very user-friendly. It's a little bit confusing sometimes.
For the new line of FTDs, the performance could be improved. We sometimes have issues with the 41 series, depending what we activate. If we activate too many intrusion policies, it affects the CPU.
The worst part of the entire solution, and this is kind of trivial at times, is that management of the solution is difficult. You manage FireSIGHT through an internet browser. I've had Cisco tell me to manage it through Firefox because that's how they develop it. The problem is, depending on the page you're on, they don't function in the same way. The pages can be very buggy, or you can't resize columns in this one, or you can't do certain things in that one. It causes a headache in managing it.
In Firepower, there is an ability to search and dig into a search, which is nice. However, I'm not a super fan of the way it scrolls. If you want to look at something live, it's a lot different. You're almost waiting. With the ASDM, where it just flows, you can really see it. The second someone clicks something or does something, you'll see it. The refresh rate on the events in Firepower is not as smooth.
I would like to see the inclusion of more advanced antivirus features in the next release of this solution.
Also, they have a Firepower source file that I can work on the ASA device and on Firepower devices. A problem here lies in the way that you manage these devices. Some devices do not support the FMC, and some devices have to be managed through ASDM, and others have to be managed through FMC.
I was just trying to learn how this product actually operates and one thing that I see from internal processing is it does fire-walling and then sends it to the IPS model and any other model that needs to be performed. For example, content checking or filtering will be done in a field processing manner. That is something that causes delays in the network, from a security perspective. That is something that can be improved upon. Palo Alto already has implemented this as a pilot passed processing. So they put the same stream of data across multiple modules at the same time and see if it is giving a positive result by using an XR function. So, something similar can be done in the Cisco Firepower. Instead of single processing or in a sequential manner, they can do something similar to pile processing. Internal function that is something that they can improve upon.
One feature lacking is superior anti-virus protection, which must be added.
Another thing that I would like to see is if Zscaler could have a separate product for direct access. I looked at a private access solution, but I understand there's a separate product that isn't integrated with this.
It also needs better integration with other applications as well. There are some restrictions.
Zscaler should provide adjacent services, which would be complementary to their current offering that could to be more pragmatic for a customer. For example, if you take Akamai, you get multiple sets of services, all depending on the customer and the strategy and the complexity and the problems. In some areas, they are more varied in terms of coverage.
In terms of usage, here in the GCC, it's still growing a growing market, so the combination of DLP, data leak prevention, to a certain extent is fine. But what it requires is user-based access or role-based access. The solution needs to grow into that, which definitely takes time. There's not an easy way to integrate it, when you have a cloud-based solution.
In every cloud service in the world, you have multiple upstream internet providers to create diversity so that if one of your providers fails, your network just continues. In South Africa, there is only one upstream provider, and that's not right. That that's a problem.
I would like to see the ability to choose a pool of IPs for my company, set up rules based on them, and know that those IPs are not used by other companies.
It needs better integration with other applications. It takes a fair amount of regular activity to apply the by-passes because it is very strict in its restrictions and frequently you have to go in and open things up to allow the workforce to work.
The pricing is an issue. It is expensive if you have all of your users in the same location. It is expensive compared to other firewalls on the market.
Pricing and Cost Advice
Pricing varies on the model and the features we are using. It could be anywhere from $600 to $1000 to up to $7,000 per year, depending on what model and what feature sets are available to us.
We used Check Point and the two are comparable. Cost was really what put us onto the ASAs... the price tag for Check Point was exorbitantly more than what it is for the ASA solution.
Always consider what you might need to reduce your wasted time and invest it in other solutions.
Watch out for hidden licensing and incredibly high annual maintenance costs.
We paid about $7,000 for the Cisco firewall, plus another small Cisco router and the lead switch. It was under the combined license. It's a final agreement.
The cost is a big factor for us. This is why we are using it only in our restricted area. They are very much higher than their competitors in the market.
Licensing is expensive compared to other solutions.
Pricing is high, but it is essentially a corporate decision.
Cisco's pricing is high, at times, for what they provide.
Our subscription costs, just for the firewalls, is between $400,000 and $500,000 a year.
The Firepower series of appliances is not cheap. I just got a quote recently for six firewalls that was in the range of over half-a-million dollars. That's what could push us to look to other vendors...
The price of this solution is not good or bad.
We normally license on a yearly basis. The hardware procurement cost should be considered. If you're virtual maybe that cost is eradicated and just the licensing cost is applied. If you have hardware the cost must be covered by you. All the shipping charges will be paid by you also. I don't thing there are any other hidden charges though.
The Cisco licensing agreement in Bangladesh is different than the one in India and in Dubai. It is not a problem, but if you want to subscribe to the yearly subscription, the original cost is really high. Also, if you go for an anti-virus, you pay for an additional yearly subscription.
It's more expensive than Fortinet and Juniper. The price is high compared to other vendors. In general, for the license, it's not that expensive.
Based on the services that you will get, especially the AMP license, the price is very reasonable.
Our monthly fee is around R3000.
Roughly, we might spend $70,000 a month on the solution. We don't pay for anything beyond the standard licensing fee.
The pricing is an issue. It is expensive compared to other firewalls on the market.
Be aware that you will need to invest some time and money to adapt your environment for Zscaler (traffic redirection, software deployment, authentication, etc).
Compared 39% of the time.
Compared 11% of the time.
Compared 9% of the time.
Compared 23% of the time.
Compared 20% of the time.
Compared 16% of the time.
Compared 27% of the time.
Compared 13% of the time.
Compared 8% of the time.
Also Known As
|Cisco ASA, Adaptive Security Appliance, ASA||Cisco Firepower Next-Generation Firewall, FirePOWER||ZIA|
Adaptive Security Appliance (ASA) is Cisco's end-to-end software solution and core operating system that powers the Cisco ASA product series. This software solution provides enterprise-level firewall capabilities for all types of ASA products, including blades, standalone appliances and virtual devices. Adaptive Security Appliance provides protection to organizations of all sizes, and allows end-users to access information securely anywhere, at any time, and through any device.
Adaptive Security Appliance is also fully compatible with other key security technologies, and so provides organizations with an all-encompassing security solution.
Block more threats and quickly mitigate those that do breach your defenses with the industry’s first threat-focused NGFW.
The Cisco Firepower Next Generation Firewall (NGFW) prevents breaches, and can quickly detect and mitigate stealthy attacks using deep visibility and the most advanced security capabilities of any firewall available today - all while maintaining optimal network performance and uptime. With Cisco NGFW you can automate operations to save time, reduce complexity, and work smarter.
Zscaler Web Security provides unmatched security, visibility and control, going beyond the basics of web content filtering. Delivered in the cloud, Zscaler includes award-winning web security integrated with our robust network security platform that features advanced threat protection, real-time analytics and forensics. You'll get protection across every user, location and device, including laptops, smartphones, tablets and Internet of Things devices.
For more details:
Learn more about Cisco ASA NGFW
Learn more about Cisco Firepower NGFW
Learn more about Zscaler Internet Access
|There are more than one million Adaptive Security Appliances deployed globally. Top customers include First American Financial Corp., Genzyme, Frankfurt Airport, Hansgrohe SE, Rio Olympics, The French Laundry, Rackspace, and City of Tomorrow.||Rackspace, The French Laundry, Downer Group, Lewisville School District, Shawnee Mission School District, Lower Austria Firefighters Administration, Oxford Hospital, SugarCreek, Westfield||Ulster-Greene ARC, BanRegio, HDFC, Ralcorp Holdings Inc., British American Tobacco, Med America Billing Services Inc., Lanco Group, Aquafil, Telefonica, Swisscom, Brigade Group|
Financial Services Firm17%
Comms Service Provider11%
Software R&D Company29%
Comms Service Provider16%
Financial Services Firm42%
Comms Service Provider25%
Software R&D Company25%
Comms Service Provider19%
Financial Services Firm6%
Software R&D Company27%
Comms Service Provider13%
Financial Services Firm6%